Real-time malware defense: Leveraging AWS Network Firewall active threat defense
Security Blog
This article explains how AWS active threat defense for Network Firewall uses real-time intelligence from MadPot honeypots to detect and block malware and cyber threats across multiple attack stages.
- MadPot honeypots detect threat actor infrastructure within 90 seconds; active threat defense deploys protective rules within 30 minutes
- Uses Swiss cheese model: multiple imperfect defensive layers block threats at reconnaissance, exploitation, malware delivery, and command-and-control stages
- Blocks attacks across DNS, HTTP, TLS, and TCP layers simultaneously to prevent threat actors from bypassing single defenses
- Real example: a CyberPanel exploitation campaign (CVE-2025-48703) using the Mythic C2 framework, blocked at multiple infrastructure points
- Integrates with Amazon GuardDuty for threat detection findings and AWS Network Firewall for active blocking
- Automatically updates protection rules as threat actors rotate domains, IP addresses, and infrastructure
Active threat defense provides automated, multi-layered network security by translating honeypot intelligence into firewall rules within 30 minutes, disrupting attack chains before malware delivery and command-and-control communications succeed.
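As an added illustration of the layered blocking described above (not code from the AWS article and not the contents of the managed rule group, which AWS maintains), the following Suricata-compatible stateful rules, in the syntax AWS Network Firewall accepts, block a single constructed indicator at the DNS, TLS, HTTP, and TCP layers so that evading one layer still leaves the others in place; the domain c2.example.invalid and the address 203.0.113.10 are placeholders, not real indicators.

```suricata
# Illustrative rules only; indicators below are constructed placeholders.
# $HOME_NET is the protected VPC range configured in the Network Firewall policy.

# Layer 1 (reconnaissance/exploitation): drop inbound traffic from the attacker address.
drop ip 203.0.113.10 any -> $HOME_NET any (msg:"EXAMPLE inbound from known attack infrastructure"; sid:1000001; rev:1;)

# Layer 2 (malware delivery / C2): drop DNS resolution of the C2 domain.
drop dns $HOME_NET any -> any any (msg:"EXAMPLE DNS lookup of C2 domain"; dns.query; content:"c2.example.invalid"; nocase; endswith; sid:1000002; rev:1;)

# Layer 3 (C2 over TLS): drop handshakes whose SNI names the C2 domain,
# covering hosts that bypass DNS with a hard-coded resolution.
drop tls $HOME_NET any -> any any (msg:"EXAMPLE TLS SNI for C2 domain"; tls.sni; content:"c2.example.invalid"; nocase; endswith; sid:1000003; rev:1;)

# Layer 4 (C2 over plaintext HTTP): drop requests whose Host header names the C2 domain.
drop http $HOME_NET any -> any any (msg:"EXAMPLE HTTP Host for C2 domain"; http.host; content:"c2.example.invalid"; endswith; sid:1000004; rev:1;)

# Layer 5 (direct-to-IP beacons): drop any outbound TCP session to the C2 address,
# regardless of the application protocol carried.
drop tcp $HOME_NET any -> 203.0.113.10 any (msg:"EXAMPLE outbound TCP to C2 address"; flow:to_server; sid:1000005; rev:1;)
```

In the managed offering these indicators are supplied and rotated by AWS as honeypot intelligence changes; in a self-authored rule group the same structure requires you to update the domain and address values yourself.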